Closed cirocosta closed 5 years ago
🙌
```yaml
- name: vim-runtime
  version: 2:8.0.1453-1ubuntu1.1
  source_package: vim
  location:
    uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim-runtime_8.0.1453-1ubuntu1.1_all.deb
    name: vim-runtime_2%3a8.0.1453-1ubuntu1.1_all.deb
    size: "5435124"
    digest: MD5Sum:0ec3148ec2668dfbb8d357dc8f6240e6
  source:
    - uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1.dsc
      name: vim_8.0.1453-1ubuntu1.1.dsc
      size: "2934"
      digest: SHA256:c85b2abcddbd7abc07fb06bc3a1b3fb6b80c2316e787abe05bb4d6909dc831f2
    - uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453.orig.tar.gz
      name: vim_8.0.1453.orig.tar.gz
      size: "13434095"
      digest: SHA256:ddf3f1baf0aa8f2a988bd6ef3ee305a6cd99f365de9024faa2827a1344be8679
    - uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1.debian.tar.xz
      name: vim_8.0.1453-1ubuntu1.1.debian.tar.xz
      size: "190292"
      digest: SHA256:97553c5f79470dba084e5de2e33805c1222e5233c1d5fb31866fd5bf90d611ec
- name: vim
  version: 2:8.0.1453-1ubuntu1.1
  source_package: ""
  location:
    uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1_amd64.deb
    name: vim_2%3a8.0.1453-1ubuntu1.1_amd64.deb
    size: "1151556"
    digest: MD5Sum:a1fc106a6538bb091ef9787c07c69de0
  source:
    - uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1.dsc
      name: vim_8.0.1453-1ubuntu1.1.dsc
      size: "2934"
      digest: SHA256:c85b2abcddbd7abc07fb06bc3a1b3fb6b80c2316e787abe05bb4d6909dc831f2
    - uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453.orig.tar.gz
      name: vim_8.0.1453.orig.tar.gz
      size: "13434095"
      digest: SHA256:ddf3f1baf0aa8f2a988bd6ef3ee305a6cd99f365de9024faa2827a1344be8679
    - uri: http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1.debian.tar.xz
      name: vim_8.0.1453-1ubuntu1.1.debian.tar.xz
      size: "190292"
      digest: SHA256:97553c5f79470dba084e5de2e33805c1222e5233c1d5fb31866fd5bf90d611ec
```
damn, it turns out that you can't just drop `dpkg -i *.deb` and expect it to work for multiple packages 😅 e.g., `estaleiro apt vim build-essential btrfs-tools` altogether --> failure :( going to have to refactor that part ...
as I'm definitely not in the business of solving deb dependency trees, it seems like the best approach is to provide all of the debian packages through a local trusted directory (`deb [trusted=yes] file:/var/lib/estaleiro/apt ./`) so that once we've got all of the information necessary from all of the upstream repositories we can just remove everything from `sources.list` and then go on with what we got locally, preventing any surprises in terms of reaching to the network to retrieve extra packages (with potentially different versions).
one caveat is that it's necessary to generate a `Package` file that lists all packages, and what seems the best way of doing so is leveraging `dpkg-dev` (which has many dependencies 😅)
I'm thinking that it might be good to do all of this outside of the tree of fs changes that leads to the final image in order to avoid polluting it
we could also collect `os-release` and make it part of the final bom 🤔
Moving towards a place where we don't store those bill of materials files along the way in each layer that estaleiro runs on, we could perhaps have those coming from a straight transformation just in the final layer right before the last snapshot 🤔
```yaml
kind: packages/v1
data:
  initial: false
  packages:
    - name: libssl1.1
      version: 1.1.1-1ubuntu2.1~18.04.4
      source_package: openssl
      architecture: amd64
      location:
        uri: http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1-1ubuntu2.1~18.04.4_amd64.deb
        name: libssl1.1_1.1.1-1ubuntu2.1~18.04.4_amd64.deb
        size: "1299616"
        md5sum: 41f3ea2b9f5b419550f165975b941f81
      source:
        - uri: http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1-1ubuntu2.1~18.04.4.dsc
          name: openssl_1.1.1-1ubuntu2.1~18.04.4.dsc
          size: "2776"
          md5sum: 88218150efac41c72aaf0025cd4d481800e0871e5ea045d25c5b10b09f7b0a88
        - uri: http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1.orig.tar.gz
          name: openssl_1.1.1.orig.tar.gz
          size: "8337920"
          md5sum: 2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d
        - uri: http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1.orig.tar.gz.asc
          name: openssl_1.1.1.orig.tar.gz.asc
          size: "488"
          md5sum: f3296150114069ea73a72eafbfdcbb295b770e7cbf3266f9590f3d0932498b3e
        - uri: http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1-1ubuntu2.1~18.04.4.debian.tar.xz
          name: openssl_1.1.1-1ubuntu2.1~18.04.4.debian.tar.xz
          size: "95260"
          md5sum: a373c2612817f3ae929d01ddb9175a6f9ab0ac28a08afe93c88df27fadcc7500
```
```yaml
kind: files/v1
data:
  - name: b
    path: /dest/b
    digest: sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    from_tarball:
      path: /src/archive.tgz
      digest: sha256:da10eb65191c2cbc267632b5d24ea992e322959290041560380537e156006e68
      unarchived_location: /dest/estailero-tar584446364
  - name: c
    path: /dest/c
    digest: sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    from_tarball:
      path: /src/archive.tgz
      digest: sha256:da10eb65191c2cbc267632b5d24ea992e322959290041560380537e156006e68
      unarchived_location: /dest/estailero-tar584446364
```
```yaml
kind: filesources/v1
data:
  /usr/dummy-file:
    type: git
    ref: ""
    repository: https://github.com/cirocosta/estaleiro
  /usr/test-file:
    type: git
    ref: ""
    repository: https://github.com/cirocosta/estaleiro
```
# generation of bill of materials (bom)

Having most of the "source to container image" functionality figured out, now we have to get better at generating the bill of materials.

Here are some steps to make that better:

- [x] refactor `package`
  - `apt install` (`apt-get --print-uris $LIST_OF_PACKAGES`)
  - `wget -i $uris_file` and inspect their `control` file (`for deb in *.deb; do dpkg-deb -I $deb control; done`)
  - `dpkg` (`dpkg -i *.deb`)
  - `for pkg in $list_of_packages; do apt-get source --print-uris $pkg ; done` (so that it can fail properly)
- [x] refactor file addition
  - `estaleiro digest --filename=<> --algorithm=sha256sum`
  - `file` (to regular `dest`) and digest (to `/var/lib/estaleiro/something.digest`)
- [x] metadata injection
  - `bom.yml` to the labelset
- [x] refactor step addition
Below, some context.

## the problem space

For each `source` component that brings artifacts into the final image, we must be able to keep record of such additions. At the moment, there are three ways of getting stuff in:

While the first three have no "build-time" dynamic aspect to them, the last one does - a package might have many other dependencies that we don't know beforehand.

That means that we have two types of BOM generation:

For 1, we can populate the `BOM` struct from within the LLB generation code. For 2, we must do it from steps at runtime, persisting their results into files that can be accessed later.

## format

| source | produces |
|---|---|
| base image | |
| packages | |
| files from steps | |
| files from tarballs | |
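As an added example (not estaleiro's own code, and not part of the original issue), the following Go program shows the runtime half of the "packages" path described in the checklist above: it parses the `'uri' name size ALGO:hex` lines that `apt-get install --print-uris` and `apt-get source --print-uris` emit into records shaped like the `location:` / `source:` entries of the BOM snippets in this thread, and verifies a downloaded file against the recorded size and digest before it is trusted. The sample input is constructed from the vim entries posted above plus one progress line the parser has to skip; the type and function names are this example's own.

```go
// Added example, not estaleiro's code: parse `apt-get --print-uris` output into BOM-style records and verify downloads.
package main

import (
	"bufio"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Digest is a checksum as apt prints it: MD5Sum for .debs, SHA256 for source files.
type Digest struct{ Algo, Hex string }

// Location mirrors a `location:` / `source:` entry of the BOM in the thread.
type Location struct {
	URI, Name string
	Size      int64
	Digest    Digest
}

// SamplePrintURIs is constructed input: the thread's vim entries written in the
// `'uri' name size ALGO:hex` form that --print-uris emits, plus one progress
// line that the parser must skip.
const SamplePrintURIs = `Reading package lists...
'http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1_amd64.deb' vim_2%3a8.0.1453-1ubuntu1.1_amd64.deb 1151556 MD5Sum:a1fc106a6538bb091ef9787c07c69de0
'http://archive.ubuntu.com/ubuntu/pool/main/v/vim/vim_8.0.1453-1ubuntu1.1.dsc' vim_8.0.1453-1ubuntu1.1.dsc 2934 SHA256:c85b2abcddbd7abc07fb06bc3a1b3fb6b80c2316e787abe05bb4d6909dc831f2
`

// ParseDigest splits "ALGO:hex" and rejects algorithms we cannot recompute.
func ParseDigest(s string) (Digest, error) {
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 || (parts[0] != "MD5Sum" && parts[0] != "SHA256") {
		return Digest{}, fmt.Errorf("unsupported or malformed digest %q", s)
	}
	h := strings.ToLower(parts[1])
	if _, err := hex.DecodeString(h); err != nil {
		return Digest{}, fmt.Errorf("digest %q is not hex: %v", s, err)
	}
	return Digest{Algo: parts[0], Hex: h}, nil
}

// ParsePrintURIs keeps the quoted-URI lines and fails on a malformed one
// instead of silently dropping a package from the BOM.
func ParsePrintURIs(out string) ([]Location, error) {
	var locs []Location
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "'") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("unexpected --print-uris line: %q", line)
		}
		size, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad size in %q: %v", line, err)
		}
		d, err := ParseDigest(f[3])
		if err != nil {
			return nil, err
		}
		locs = append(locs, Location{URI: strings.Trim(f[0], "'"), Name: f[1], Size: size, Digest: d})
	}
	return locs, sc.Err()
}

// Verify checks downloaded bytes against the record; size is compared first so a
// truncated download is reported as such rather than as a digest mismatch.
func Verify(loc Location, data []byte) error {
	if int64(len(data)) != loc.Size {
		return fmt.Errorf("%s: got %d bytes, BOM records %d", loc.Name, len(data), loc.Size)
	}
	var got string
	switch loc.Digest.Algo {
	case "MD5Sum":
		// MD5 is what apt prints for .debs; it is not collision resistant, so a
		// record pinned only by MD5 is worth re-pinning to the SHA256 from the
		// repository's Packages index.
		got = fmt.Sprintf("%x", md5.Sum(data))
	case "SHA256":
		got = fmt.Sprintf("%x", sha256.Sum256(data))
	default:
		return fmt.Errorf("%s: cannot verify %s digests", loc.Name, loc.Digest.Algo)
	}
	if got != loc.Digest.Hex {
		return fmt.Errorf("%s: %s mismatch: got %s, BOM records %s", loc.Name, loc.Digest.Algo, got, loc.Digest.Hex)
	}
	return nil
}

func main() {
	locs, err := ParsePrintURIs(SamplePrintURIs)
	fmt.Println(len(locs), "records parsed, err:", err)
}
```

The records keep the `%3a`-encoded `name` exactly as apt prints it, which is why the BOM above shows `vim_2%3a8.0.1453-1ubuntu1.1_amd64.deb` rather than the epoch colon. If the verified `.deb`s are then served from the local `deb [trusted=yes] file:` directory discussed earlier in the thread, `[trusted=yes]` turns off apt's signature check for that source, so the digest check here is what stands in for it; the `Packages` index itself still has to come from `dpkg-scanpackages` (part of `dpkg-dev`), because it needs the control fields and not just these digests.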